ABSTRACT

Compositional proof systems not only enable the stepwise development of concurrent processes but also provide a basis to alleviate the state explosion problem associated with model checking. An assume-guarantee style of specification and reasoning has long been advocated to achieve compositionality. However, this style of reasoning is often non-trivial, typically requiring human input to determine appropriate assumptions. In this paper, we present novel assume-guarantee rules in the setting of finite labelled transition systems with blocking communication. We show how these rules can be applied in an iterative and fully automated fashion within a framework based on learning.
1. INTRODUCTION

Our work is motivated by an ongoing project at NASA Ames Research Center on the application of model checking to the verification of autonomous software. Autonomous software involves complex concurrent behaviors for reacting to external stimuli without human intervention. Extensive verification is a pre-requisite for the deployment of missions that involve autonomy.

Given a finite model of a system and of a required property, model checking can be used to determine automatically whether the property is satisfied by the system. The limitation of this approach, commonly referred to as the “state-explosion” problem [7], is that it needs to store the explored system states in memory, which may be prohibitively large for realistic systems.

Compositional verification presents a promising way of addressing state explosion. It advocates a “divide and conquer” approach where properties of the system are decomposed into properties of its components, so that if each component satisfies its respective property, then so does the entire system. Components are therefore model checked separately. It is often the case, however, that components only satisfy properties in specific contexts (also called environments). This has given rise to the application of assume-guarantee reasoning [16, 21] to model checking [11].

Assume-guarantee¹ reasoning first checks whether a component $M$ guarantees a property $P$, when it is part of a system that satisfies an assumption $A$. Intuitively, $A$ characterizes all contexts in which the component is expected to operate correctly. To complete the proof, it must also be shown that the remaining components in the system, i.e., $M$’s environment, satisfy $A$. Several frameworks have been proposed [16, 21, 6, 14, 24, 15] to support this style of reasoning. However, their practical impact has been limited because they require non-trivial human input in defining assumptions that are strong enough to eliminate false violations, but that also reflect appropriately the remaining system.

In previous work [8], we developed a novel framework to perform assume-guarantee reasoning in an iterative and fully automatic fashion; the approach uses learning and model checking. To check that a system made up of components $M_1$ and $M_2$ satisfies a property $P$, our framework automatically learns and refines assumptions for one of the components to satisfy $P$, which it then tries to discharge on the other component. Our approach is guaranteed to terminate, stating that the property holds for the system, or returning a counterexample if the property is violated.

This work introduces a variety of sound and complete assume-guarantee rules in the setting of Labeled Transition Systems with blocking communication. The rules are motivated by the need for automating assume-guarantee reasoning. However, in contrast to our previous work, they are symmetric, meaning that they are based on establishing and discharging assumptions for both components at the same time. The remainder of this paper is organized as follows. We first provide some background in Section 2, followed by some basic compositional proof rules in Section 3. The framework that automates these rules is presented in Section 4. Section 5 introduces rules that optimize and extend the basic rules. Finally, Section 6 presents related work and Section 7 concludes the paper.

¹ The original terminology for this style of reasoning was rely-guarantee or assumption-commitment; it was introduced for enabling top-down development of concurrent systems.

2. BACKGROUND 

We use Labeled Transition Systems (LTSs) to model the 
behavior of communicating components in a concurrent sys- 
tem. In this section, we provide background on LTSs and 
their associated operators, and also present how properties 
are expressed and checked in our framework. We also sum- 
marize the learning algorithm that is used to automate our 
compositional verification approach. 

2.1 Labeled Transition Systems 

Let $Act$ be the universal set of observable actions and let $\tau$ denote a local action unobservable to a component’s environment. An LTS $M$ is a quadruple $(Q, \alpha M, \delta, q_0)$ where:

• $Q$ is a non-empty finite set of states

• $\alpha M \subseteq Act$ is a finite set of observable actions called the alphabet of $M$

• $\delta \subseteq Q \times (\alpha M \cup \{\tau\}) \times Q$ is a transition relation

• $q_0 \in Q$ is the initial state

An LTS $M = (Q, \alpha M, \delta, q_0)$ is non-deterministic if it contains $\tau$-transitions or if $\exists (q, a, q'), (q, a, q'') \in \delta$ such that $q' \neq q''$. Otherwise, $M$ is deterministic.

Traces. A trace $t$ of an LTS $M$ is a sequence of observable actions that $M$ can perform starting at its initial state. For $\Sigma \subseteq Act$, we use $t \upharpoonright \Sigma$ to denote the trace obtained by removing from $t$ all occurrences of actions $a \notin \Sigma$. The set of all traces of $M$ is called the language of $M$, denoted $\mathcal{L}(M)$. We will freely use the expression “a word $t$ is accepted by $M$” to mean that $t \in \mathcal{L}(M)$. Note that the empty word is accepted by any LTS.

Parallel Composition. Let $M = (Q, \alpha M, \delta, q_0)$ and $M' = (Q', \alpha M', \delta', q_0')$. We say that $M$ transits into $M'$ with action $a$, denoted $M \xrightarrow{a} M'$, if and only if $(q_0, a, q_0') \in \delta$ and $\alpha M = \alpha M'$ and $\delta = \delta'$.

The parallel composition operator $\parallel$ is a commutative and associative operator that combines the behavior of two components by synchronizing the actions common to their alphabets and interleaving the remaining actions.

Let $M_1 = (Q_1, \alpha M_1, \delta_1, q_{0_1})$ and $M_2 = (Q_2, \alpha M_2, \delta_2, q_{0_2})$ be two LTSs. Then $M_1 \parallel M_2$ is an LTS $M = (Q, \alpha M, \delta, q_0)$, where $Q = Q_1 \times Q_2$, $q_0 = (q_{0_1}, q_{0_2})$, $\alpha M = \alpha M_1 \cup \alpha M_2$, and $\delta$ is defined as follows, where $a$ is either an observable action or $\tau$ (note that the symmetric rules are implied by the fact that the operator is commutative):

$$\frac{M_1 \xrightarrow{a} M_1', \quad a \notin \alpha M_2}{M_1 \parallel M_2 \xrightarrow{a} M_1' \parallel M_2}
\qquad
\frac{M_1 \xrightarrow{a} M_1', \quad M_2 \xrightarrow{a} M_2', \quad a \neq \tau}{M_1 \parallel M_2 \xrightarrow{a} M_1' \parallel M_2'}$$

Note. $\mathcal{L}(M_1 \parallel M_2) = \{\, t \mid t \upharpoonright \alpha M_1 \in \mathcal{L}(M_1) \wedge t \upharpoonright \alpha M_2 \in \mathcal{L}(M_2) \wedge t \in (\alpha M_1 \cup \alpha M_2)^* \,\}$

Properties and Satisfiability. A property is also defined as an LTS $P$, whose language $\mathcal{L}(P)$ defines the set of acceptable behaviors over $\alpha P$. An LTS $M$ satisfies $P$, denoted as $M \models P$, if and only if $\forall t \in \mathcal{L}(M).\ t \upharpoonright \alpha P \in \mathcal{L}(P)$.

2.2 LTSs and Finite-State Machines 

As will be described in Section 4, our proof rules require the use of the “complement” of an LTS. LTSs are not closed under complementation (their languages are prefix-closed), so we need to define here a more general class of finite-state machines (FSMs) and associated operators for our framework.

An FSM $M$ is a five-tuple $(Q, \alpha M, \delta, q_0, F)$ where $Q$, $\alpha M$, $\delta$, and $q_0$ are defined as for LTSs, and $F \subseteq Q$ is a set of accepting states.

For an FSM $M$ and a word $t$, we use $\delta(q, t)$ to denote the set of states that $M$ can reach after reading $t$ starting at state $q$. A word $t$ is said to be accepted by an FSM $M = (Q, \alpha M, \delta, q_0, F)$ if $\delta(q_0, t) \cap F \neq \emptyset$. Note that in the following sections, the term trace is often used to denote a word. The language accepted by $M$, denoted $\mathcal{L}(M)$, is the set $\{\, t \mid \delta(q_0, t) \cap F \neq \emptyset \,\}$.

For an FSM $M = (Q, \alpha M, \delta, q_0, F)$, we use $LTS(M)$ to denote the LTS $(Q, \alpha M, \delta, q_0)$ defined by its first four fields. Note that this transformation does not preserve the language of the FSM. On the other hand, an LTS is in fact a special instance of an FSM, since it can be viewed as an FSM for which all states are accepting. From now on, whenever we apply operators between FSMs and LTSs, it is implied that the LTS is treated as its corresponding FSM.

We call an FSM $M$ deterministic iff $LTS(M)$ is deterministic.

Parallel Composition. Let $M_1 = (Q_1, \alpha M_1, \delta_1, q_{0_1}, F_1)$ and $M_2 = (Q_2, \alpha M_2, \delta_2, q_{0_2}, F_2)$ be two FSMs. Then $M_1 \parallel M_2$ is an FSM $M = (Q, \alpha M, \delta, q_0, F)$, where:

• $(Q, \alpha M, \delta, q_0) = LTS(M_1) \parallel LTS(M_2)$, and

• $F = \{\, (s_1, s_2) \in Q_1 \times Q_2 \mid s_1 \in F_1 \wedge s_2 \in F_2 \,\}$.

Note. $\mathcal{L}(M_1 \parallel M_2) = \{\, t \mid t \upharpoonright \alpha M_1 \in \mathcal{L}(M_1) \wedge t \upharpoonright \alpha M_2 \in \mathcal{L}(M_2) \wedge t \in (\alpha M_1 \cup \alpha M_2)^* \,\}$

Satisfiability. For FSMs $M$ and $P$ where $\alpha P \subseteq \alpha M$, $M \models P$ if and only if $\forall t \in \mathcal{L}(M).\ t \upharpoonright \alpha P \in \mathcal{L}(P)$.

Complementation. The complement of an FSM (or an LTS) $M$, denoted $coM$, is an FSM that accepts the complement of $M$’s language. It is constructed by first making $M$ deterministic, subsequently completing it with respect to $\alpha M$, and finally turning all accepting states into non-accepting ones, and vice-versa. An automaton is complete with respect to some alphabet if every state has an outgoing transition for each action in the alphabet. Completion typically introduces a non-accepting state and appropriate transitions to that state.

2.3 The L* Algorithm 

In Section 4, we present a framework that automates compositional reasoning using a learning algorithm.

The learning algorithm (L*) used by our approach was developed by Angluin [2] and later improved by Rivest and Schapire [22]. L* learns an unknown regular language $U$ over an alphabet $\Sigma$ and produces a deterministic FSM $C$ such that $\mathcal{L}(C) = U$. L* works by incrementally producing a sequence of candidate deterministic FSMs $C_1, C_2, \ldots$ converging to $C$. In order to learn $U$, L* needs a Teacher to answer two types of questions. The first type is a membership query, consisting of a string $\sigma \in \Sigma^*$; the answer is true if $\sigma \in U$, and false otherwise. The second type of question is a conjecture, i.e. a candidate deterministic FSM $C$ whose language the algorithm believes to be identical to $U$. The answer is true if $\mathcal{L}(C) = U$. Otherwise the Teacher returns a counterexample, which is a string $\sigma$ in the symmetric difference of $\mathcal{L}(C)$ and $U$.

At a higher level, L* creates a table where it incrementally records whether strings in $\Sigma^*$ belong to $U$. It does this by making membership queries to the Teacher. At various stages L* decides to make a conjecture. It constructs a candidate automaton $C$ based on the information contained in the table and asks the Teacher whether the conjecture is correct. If it is, the algorithm terminates. Otherwise, L* uses the counterexample returned by the Teacher to extend the table with strings that witness differences between $\mathcal{L}(C)$ and $U$.

L* is guaranteed to terminate with a minimal automaton $C$ for the unknown language $U$. Moreover, each candidate deterministic FSM $C_i$ that L* constructs is smallest, in the sense that any other deterministic FSM consistent with the table has at least as many states as $C_i$. The candidates conjectured by L* strictly increase in size; each candidate is smaller than the next one, and all incorrect candidates are smaller than $C$. Therefore, if $C$ has $n$ states, L* makes at most $n - 1$ incorrect conjectures.
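As an added illustration (not code from the paper), the following Python implements the observation-table form of L* together with a Teacher that answers both kinds of question from a known target DFA: membership by running the word, and conjectures by searching the product of candidate and target for a word in the symmetric difference of their languages. Counterexamples are handled by adding all their suffixes to the table (the Maler and Pnueli variant) rather than by the Rivest and Schapire improvement the paper cites; the target `TARGET` is a constructed 3-state DFA for "a and b alternate, a first" with a rejecting trap state.

```python
from collections import deque

class DFA:
    """Deterministic, complete FSM: delta[(q, a)] -> q, accepting states F."""
    def __init__(self, alpha, delta, q0, F):
        self.alpha, self.delta, self.q0, self.F = tuple(alpha), delta, q0, frozenset(F)
        self.states = {q for q, _ in delta}

    def accepts(self, word):
        q = self.q0
        for a in word:
            q = self.delta[(q, a)]
        return q in self.F

def counterexample(c, u):
    """Teacher's answer to a conjecture: shortest word in the symmetric difference of
    L(C) and U (both complete DFAs over one alphabet), or None when L(C) = U."""
    parent, work = {(c.q0, u.q0): None}, deque([(c.q0, u.q0)])
    while work:
        pair = work.popleft()
        if (pair[0] in c.F) != (pair[1] in u.F):   # one accepts, the other rejects
            word = []
            while parent[pair] is not None:
                pair, a = parent[pair]
                word.append(a)
            return "".join(reversed(word))
        for a in c.alpha:
            nxt = (c.delta[(pair[0], a)], u.delta[(pair[1], a)])
            if nxt not in parent:
                parent[nxt] = (pair, a)
                work.append(nxt)
    return None

class LStar:
    """Angluin's L* with an observation table (S, E, T). Counterexamples are handled by
    adding all their suffixes to E (Maler-Pnueli), not by Rivest-Schapire's binary search."""
    def __init__(self, alpha, member):
        self.alpha, self.member = tuple(alpha), member   # member: Teacher's membership query
        self.S, self.E, self.T = [""], [""], {}           # prefixes, suffixes, T[s + e]
        self.queries, self.conjectures = 0, []

    def query(self, w):
        if w not in self.T:
            self.T[w] = self.member(w)
            self.queries += 1
        return self.T[w]

    def row(self, s):
        return tuple(self.query(s + e) for e in self.E)

    def close(self):
        """Closedness: every one-step extension of S must have the row of some s in S."""
        while True:
            rows = {self.row(s) for s in self.S}
            new = [s + a for s in self.S for a in self.alpha if self.row(s + a) not in rows]
            if not new:
                return
            self.S.append(new[0])

    def conjecture(self):
        """Candidate DFA: states are the (distinct) rows of S, transitions follow the table."""
        rep = {self.row(s): s for s in self.S}
        delta = {(r, a): self.row(rep[r] + a) for r in rep for a in self.alpha}
        return DFA(self.alpha, delta, self.row(""), {r for r in rep if self.T[rep[r]]})

    def learn(self, equivalence):
        """equivalence(C) is the Teacher's conjecture query: None or a counterexample string."""
        while True:
            self.close()
            c = self.conjecture()
            self.conjectures.append(c)
            cex = equivalence(c)
            if cex is None:
                return c
            for i in range(len(cex)):            # every suffix of the counterexample
                if cex[i:] not in self.E:
                    self.E.append(cex[i:])

# Constructed target U: the prefix-closed language of a property "a and b alternate,
# a first", kept as a complete 3-state DFA with a rejecting trap state 2.
TARGET = DFA("ab", {(0, "a"): 1, (0, "b"): 2, (1, "b"): 0, (1, "a"): 2,
                    (2, "a"): 2, (2, "b"): 2}, 0, {0, 1})

def learn_target():
    """Run L* against TARGET; return the learner (with its conjectures) and the result."""
    learner = LStar("ab", TARGET.accepts)
    return learner, learner.learn(lambda c: counterexample(c, TARGET))
```

On this target the first conjecture (two states, accepting a*) is refuted by the counterexample "aa", and the second conjecture is the 3-state target, matching the bound of at most n - 1 incorrect conjectures.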

3. COMPOSITIONAL PROOF RULES 
3.1 Motivation 

In our previous work on assumption generation and learning [12, 8], we used the following basic rule for establishing that a property $P$ holds for a (closed) parallel composition of two software components $M_1$ and $M_2$.

Rule 0.

$$\begin{array}{ll}
1: & M_1 \parallel A_{M_1} \models P \\
2: & M_2 \models A_{M_1} \\
\hline
& M_1 \parallel M_2 \models P
\end{array}$$

$A_{M_1}$ denotes an assumption about the environment in which $M_1$ is placed.

In [12], we present an approach to synthesizing the assumption that a component needs to make about its environment for a given property to be satisfied. The assumption produced is the weakest, that is, it restricts the environment no more and no less than is necessary for the component to satisfy the property. The automatic generation of weakest assumptions has direct application to the assume-guarantee proof. More specifically, it removes the burden of specifying assumptions manually, thus automating this type of reasoning.

The algorithm presented in [12] does not compute partial results, meaning no assumption is obtained if the computation runs out of memory, which may happen if the state-space of the component is too large. We address this problem in [8], where we present a novel framework for performing assume-guarantee reasoning using the above rule in an incremental and fully automatic fashion. The framework iterates a process based on gradually learning assumptions. The learning process is based on queries to component $M_1$ and on counterexamples obtained by model checking $M_1$ and its environment, i.e. component $M_2$, alternately. Each iteration may conclude that the required property is satisfied or violated in the system analyzed. This process is guaranteed to terminate; in fact, it converges to an assumption that is necessary and sufficient for the property to hold in the specific system.

Although sound and complete, Rule 0 is unsatisfactory from an automation point of view² since it is not symmetric. We thus considered whether some form of “circular”, assume-guarantee like, rule could be developed. For our framework the obvious rule for the parallel composition of two processes, where the assumption of each process is discharged by the commitment (or guarantee) of the other, however, is unsound. Indeed, we demonstrate the unsoundness of the following rule.

Rule 0m.

$$\begin{array}{ll}
1: & M_1 \parallel A_{M_1} \models P \\
2: & M_2 \parallel A_{M_2} \models P \\
3: & P \models A_{M_1} \\
4: & P \models A_{M_2} \\
\hline
& M_1 \parallel M_2 \models P
\end{array}$$

Take $M_1$ and $M_2$ each to be the same process $M$ and the property $P$ as illustrated in Figure 1.

Now take as assumption $A_{M_1}$ the behaviour defined by $P$, similarly for $A_{M_2}$. Clearly, premises 3 and 4 hold. And premises 1 and 2 also hold; the parallel composition of $M_1$ with the assumption $A_{M_1}$ constrains its behaviour to be just that of $P$, similarly for premise 2. But unfortunately the conclusion doesn’t hold since, in our framework, $M_1$ composed in parallel with $M_2$ is the behaviour $M$ again; $M$ clearly violates property $P$ since it allows $b$ to occur first, rather than ensuring $a$ does. The circular reasoning to discharge the assumptions in this case was unsound. The above rule fails for our framework essentially because the two components may have common erroneous behaviour (as far as the property is concerned) which is (mis-)ruled out by assumptions that are overly presumptuous for the particular composition.

Figure 1: Example of process $M$ and property $P$ to demonstrate unsoundness of Rule 0m

² It is also unsatisfactory from a formal development point of view!

3.2 Basic Proof Rule 

In the following we give a symmetric parallel composition rule and establish its soundness and completeness for our framework. In Section 4 we then outline how the rule can be used for automated compositional verification along similar lines to the approach given in [8].

Rule 1.

$$\begin{array}{ll}
1: & M_1 \parallel A_{M_1} \models P \\
2: & M_2 \parallel A_{M_2} \models P \\
3: & \mathcal{L}(coA_{M_1} \parallel coA_{M_2}) = \emptyset \\
\hline
& M_1 \parallel M_2 \models P
\end{array}$$

$M_1$, $M_2$, $A_{M_1}$, $A_{M_2}$ and $P$ are LTSs³ as defined in the previous section; we require $\alpha P \subseteq \alpha M_1 \cup \alpha M_2$, $\alpha A_{M_1} \subseteq (\alpha M_1 \cap \alpha M_2) \cup \alpha P$ and $\alpha A_{M_2} \subseteq (\alpha M_1 \cap \alpha M_2) \cup \alpha P$. Informally, the $A_{M_i}$ are postulated environment assumptions for the components $M_i$ to achieve, respectively, property $P$. $coA_{M_1}$ denotes the co-assumption for $M_1$, which is the complement of $A_{M_1}$. Similarly for $coA_{M_2}$.

The intuition behind premise 3 stems directly from an understanding of the failure of Rule 0m; premise 3 ensures that the assumptions do not both rule out possible, common, violating behaviour from the components. For example, Rule 0m failed in our example above because both assumptions ruled out the common behaviour $(ba)^*$ of $M_1$ and $M_2$, which violates property $P$. Premise 3 in Rule 1 is a remedy for this problem.

Theorem 1. Rule 1 is sound and complete.

Proof. To establish soundness, we show that the premises together with the negated conclusion lead to a contradiction. Consider a word $t$ for which the conclusion fails, i.e. $t$ is a trace of $M_1 \parallel M_2$ that violates property $P$; in other words $t$ is not accepted by $P$. Clearly, by definition of parallel composition, $t \upharpoonright \alpha M_1$ is accepted by $M_1$. Hence, by premise 1, the trace $t \upharpoonright \alpha A_{M_1}$ can not be accepted by $A_{M_1}$, i.e. $t \upharpoonright \alpha A_{M_1}$ is accepted by $coA_{M_1}$. Similarly, by premise 2, the trace $t \upharpoonright \alpha A_{M_2}$ is accepted by $coA_{M_2}$. By the definition of parallel composition and the fact that an FSM and its complement have the same alphabet, $t \upharpoonright (\alpha A_{M_1} \cup \alpha A_{M_2})$ will be accepted by $coA_{M_1} \parallel coA_{M_2}$. But premise 3 states that there are no common words in the co-sets. Hence we have a contradiction.

Our argument for the completeness of Rule 1 relies upon the use of weakest environment assumptions that are constructed in a similar way to [12]. Let $WA(M, P)$ denote the weakest environment for $M$ that will achieve property $P$. $WA(M, P)$ is such that, for any environment $A$, $M \parallel A \models P$ iff $A \models WA(M, P)$.

Lemma 1. $coWA(M, P)$ is the set of all traces over the alphabet of $WA(M, P)$ in the context of which $M$ violates property $P$. In other words, this defines the most general violating environment for $(M, P)$. A violating environment for $(M, P)$ is one that causes $M$ to violate property $P$ in all circumstances.

³ Except for when $A_{M_1}$, $A_{M_2}$ and $P$ are false, in which case they are represented as FSMs.

To establish completeness, we assume the conclusion of the rule and show that we can construct assumptions that will satisfy the premises of the rule. In fact, we construct the weakest assumptions $WA_{M_1}$⁴, resp. $WA_{M_2}$, for $M_1$, resp. $M_2$, to achieve $P$, and substitute them for $A_{M_1}$ and $A_{M_2}$. Clearly premises 1 and 2 are satisfied. It remains to show that premise 3 holds. Again we proceed by proof by contradiction. Suppose there is a word $t$ in $\mathcal{L}(coWA_{M_1} \parallel coWA_{M_2})$. By definition of parallel composition, $t$ is accepted by both $coWA_{M_1}$ and $coWA_{M_2}$. By Lemma 1, $t \upharpoonright \alpha P$ violates property $P$. Furthermore, there will exist $t_1 \in \mathcal{L}(M_1 \parallel coP)$ such that $t_1 \upharpoonright \alpha_A = t$, where $\alpha_A$ is the alphabet of the assumptions. Similarly for $t_2 \in \mathcal{L}(M_2 \parallel coP)$. $t_1$ and $t_2$ can then be combined to be a trace $t_3$ of $M_1 \parallel M_2$ such that $t_3 \upharpoonright \alpha_A = t$. But if that is so, this contradicts the assumed conclusion that $M_1 \parallel M_2 \models P$, since $t$ violates $P$. Therefore, there can not be such a common word $t$ and premise 3 holds. □

⁴ Since the context is clear we abbreviate $WA(M, P)$ as $WA_M$.

4. AUTOMATED REASONING
4.1 Framework

For the use of Rule 1 to be justified, the assumptions $A_{M_1}$ and $A_{M_2}$ must be more abstract than the components that they represent, i.e. $M_2$ and $M_1$ respectively, but also strong enough for the three steps of the rule to be satisfied. Developing such assumptions is a non-trivial process. We propose an iterative approach to automate the application of Rule 1. The approach extends the framework of counterexample-based learning presented in [8]. As in our previous work and as supported by the LTSA model checking tool [19], we assume that both properties and assumptions are described by deterministic FSMs; this is not a serious limitation since any non-deterministic FSM can be transformed to a deterministic one via the subset construction.




To obtain appropriate assumptions, our framework applies the compositional rule in an iterative fashion as illustrated in Fig. 2. We use a learning algorithm to generate incrementally an assumption for each component, each of which is strong enough to establish the property $P$, i.e. to discharge premises 1 and 2 of Rule 1.

Figure 2: Incremental compositional verification

We have seen in the previous section that Rule 1 is guaranteed to return conclusive results with the weakest assumptions $WA_{M_1}$, resp. $WA_{M_2}$, for $M_1$, resp. $M_2$, to achieve $P$. We therefore use L* to iteratively learn the traces of $WA_{M_1}$, resp. $WA_{M_2}$. Conjectures are intermediate assumptions $A^i_{M_1}$, resp. $A^j_{M_2}$. As in [8], we use model checking to implement the Teacher needed by L*.

At each iteration, L* is used to build approximate assumptions $A^i_{M_1}$ and $A^j_{M_2}$, based on querying the system and on the results of the previous iteration. The first two premises of the compositional rule are then checked. Premise 1 is checked to determine whether $M_1$ guarantees $P$ in environments that satisfy $A^i_{M_1}$. If the result is false, it means that this assumption is too weak, i.e. $A^i_{M_1}$ does not restrict the environment enough for $P$ to be satisfied. The assumption therefore needs to be strengthened, which corresponds to removing behaviours from it, with the help of the counterexample produced by checking premise 1. In the context of the next assumption $A^{i+1}_{M_1}$, component $M_1$ should at least not exhibit the violating behaviour reflected by this counterexample. Premise 2 is checked in a similar fashion, to obtain an assumption $A^j_{M_2}$ such that component $M_2$ guarantees $P$ in environments that satisfy $A^j_{M_2}$.

If both premise 1 and premise 2 hold, it means that $A^i_{M_1}$ and $A^j_{M_2}$ are strong enough for the property to be satisfied. To complete the proof, premise 3 must be discharged.

If premise 3 holds, then the compositional rule guarantees that $P$ holds in $M_1 \parallel M_2$. If it doesn’t hold, further analysis is required to identify whether $P$ is indeed violated in $M_1 \parallel M_2$ or whether either $A^i_{M_1}$ or $A^j_{M_2}$ is stronger than necessary. Such analysis is based on the counterexample returned by checking premise 3 and is described in more detail below. If an assumption is too strong it must be weakened, i.e. behaviors must be added, in the next iteration. The result of such weakening will be that at least the behavior that the counterexample represents will be allowed by the respective assumption produced at the next iteration. The new assumption may of course be too weak, and therefore the entire process must be repeated.

4.2 Counterexample analysis

If premise 3 fails, then we can obtain a counterexample in the form of a trace $t$. Similarly to [8], we analyse the trace in order to determine how to proceed. We need to determine whether the trace $t$ indeed corresponds to a violation in $M_1 \parallel M_2$. This is checked by simulating $t$ on $M_i \parallel coP$, for $i = 1, 2$. The following cases arise. (1) If $t$ is a violating trace of both $M_1$ and $M_2$, then $M_1$ and $M_2$ do indeed have a common bad trace and therefore do not compose to achieve $P$. (2) If $t$ is not a violating trace of $M_1$ or $M_2$ then we use $t$ to weaken the corresponding assumption(s).


4.3 Discussion 

A characteristic of L* that makes it particularly attractive for our framework is its monotonicity. This means that the intermediate candidate assumptions that are generated increase in size; each assumption is smaller than the next one, i.e. $|A^i_{M_1}| < |A^{i+1}_{M_1}| < |WA_{M_1}|$ and $|A^j_{M_2}| < |A^{j+1}_{M_2}| < |WA_{M_2}|$. However, we should note that there is no monotonicity at the semantic level, i.e. it is not necessarily the case that $\mathcal{L}(A^i_{M_1}) \subseteq \mathcal{L}(A^{i+1}_{M_1})$ or $\mathcal{L}(A^j_{M_2}) \subseteq \mathcal{L}(A^{j+1}_{M_2})$ hold.

The iterative process performed by our framework terminates for the following reason. At any iteration, our algorithm returns true or false and terminates, or continues by providing a counterexample to L*. By the correctness of L*, we are guaranteed that if it keeps receiving counterexamples, it will eventually produce $WA_{M_1}$ and $WA_{M_2}$ respectively.

During this last iteration, premises 1 and 2 will hold by definition of the weakest assumptions. The Teacher will therefore check premise 3, which will return either true and terminate, or a counterexample. Since the weakest assumptions are used, by the completeness proof of Rule 1, we know that the counterexample analysis will reveal a true error, and hence the process will terminate.

It is interesting to note that our algorithm may terminate before the weakest assumptions are constructed via the iterative learning and refinement process. It terminates as soon as two assumptions have been constructed that are strong enough to discharge the first two premises but weak enough for the third premise to produce conclusive results, i.e. to prove the property or produce a real counterexample; these assumptions are smaller (in size) than the weakest assumptions.

5. VARIATIONS 

In Section 3 we established that Rule 1 is sound and complete for our framework and in Section 4 we showed its applicability for the automated learning approach to compositional verification. However, we need to explore and understand its effectiveness in our automated compositional verification approach. In this section we introduce some straightforward modifications to the rule, maintaining soundness and completeness of course, that may remove unnecessary assumption refinement steps and therefore result in a probable overall improvement in performance.

5.1 First Modification 

Our first variation, Rule 1a given below, relaxes the third premise by requiring that any common “bad” trace, as far as the assumptions are concerned, satisfies the property $P$. The intuition behind this is that the assumptions may well have been overly restrictive and therefore there may be common behaviours of $M_1$ and $M_2$, ruled out by the assumptions, that do indeed satisfy the property $P$.

Rule 1a.

$$\begin{array}{ll}
1: & M_1 \parallel A_{M_1} \models P \\
2: & M_2 \parallel A_{M_2} \models P \\
3: & \mathcal{L}(coA_{M_1} \parallel coA_{M_2}) \subseteq \mathcal{L}(P) \\
\hline
& M_1 \parallel M_2 \models P
\end{array}$$

Theorem 2. Rule 1a is sound and complete.

Proof. Follows easily from the soundness and completeness proofs for Rule 1. □

Rule 1b.

$$\begin{array}{ll}
1: & M_1 \parallel A_{M_1} \models P \\
2: & M_2 \parallel A_{M_2} \models P \\
3: & M_1 \parallel coA_{M_1} \models A_{M_2} \ \text{ or } \ M_2 \parallel coA_{M_2} \models A_{M_1} \\
\hline
& M_1 \parallel M_2 \models P
\end{array}$$

In essence, in this variation, premise 3 effectively now checks whether any trace in the intersection of the co-assumptions is an illegal behaviour of either component, rather than it just satisfying the property. Notice that the disjunct $M_1 \parallel coA_{M_1} \models A_{M_2}$ is equivalent to $\mathcal{L}(coA_{M_1} \parallel coA_{M_2}) \subseteq \mathcal{L}(coM_1)$; similarly for the other disjunct. We’ve used this particular form for the disjuncts because of similarity with assumption discharge.

Theorem 3. Rule 1b is sound and complete.

Proof. Similar to the proofs of Theorems 1 and 2. □

Incorporation of Rules 1a and 1b.

Rule 1a can easily be incorporated into our incremental compositional verification framework. Step 3 of Fig. 2 is followed by an extra step, Step 4, for the case when the intersection of the co-assumptions is not empty. Step 4 checks whether the intersection satisfies the given property: if it returns true then we terminate, otherwise we continue with counterexample analysis and assumption refinement. In order to incorporate Rule 1b, we simply include a further check to discharge one of the disjuncts of the rule’s third premise.

Clearly these “optimisations” may result in the verification process terminating after fewer learning iterations. On the other hand there will be some increased overhead in performing the extra checks on each weakening iteration. These issues will be analysed more fully in our future implementation of this incremental approach.

5.2 Further Variation 

Suppose we are now given components $M_1$ and $M_2$, with associated properties $P_1$ and $P_2$. The following composition rule can be used to establish that property $P_1 \parallel P_2$ holds for $M_1 \parallel M_2$.

Rule 2.

$$\begin{array}{ll}
1: & M_1 \parallel A_{M_1} \models P_1 \\
2: & M_2 \parallel A_{M_2} \models P_2 \\
3: & M_1 \parallel A_{M_1} \models A_{M_2} \\
4: & M_2 \parallel A_{M_2} \models A_{M_1} \\
5: & \mathcal{L}(coA_{M_1} \parallel coA_{M_2}) = \emptyset \\
\hline
& M_1 \parallel M_2 \models P_1 \parallel P_2
\end{array}$$

where we require $\alpha P_1 \subseteq \alpha M_1$, $\alpha P_2 \subseteq \alpha M_2$, $\alpha A_{M_1} \subseteq \alpha M_1 \cap \alpha M_2$ and $\alpha A_{M_2} \subseteq \alpha M_1 \cap \alpha M_2$.

Theorem 4. Rule 2 is sound and complete.

Proof. Soundness is established by contradiction, in a similar way to the soundness results for Rules 1, 1a and 1b. We outline the steps. We also abuse and simplify notation by omitting the projections of traces onto the appropriate alphabets.

We assume the properties $P_1$ and $P_2$ are not contradictory, i.e. $\mathcal{L}(P_1 \parallel P_2)$ is not empty, or all behaviours are not erroneous. Further, assume the conclusion does not hold, i.e. $M_1 \parallel M_2 \not\models P_1 \parallel P_2$. There then exists a trace $t$ of $M_1 \parallel M_2$ s.t. $t$ is not accepted by $P_1 \parallel P_2$. There are three sub-cases to consider.

1. $t$ not in $P_1$ and $t$ not in $P_2$

2. $t$ not in $P_1$ and $t$ in $P_2$

3. $t$ in $P_1$ and $t$ not in $P_2$

The first case contradicts premise 5. By premise 1, $t$ not in $P_1$ means $t$ is not a trace of $M_1 \parallel A_{M_1}$. But since $t$ is a trace of $M_1 \parallel M_2$ and hence of $M_1$, then $t$ must be accepted by $coA_{M_1}$. Similarly, by premise 2, $t$ must be accepted by $coA_{M_2}$. But this now contradicts premise 5.

For the second case, and similarly for the third case, we will show a contradiction of premise 4, resp. premise 3. As for the first case, by premise 1 if $t$ is not in $P_1$ and $t$ in $M_1$ then $t$ must be accepted by $coA_{M_1}$. As $t$ in $P_2$, $t$ is accepted by $M_2 \parallel A_{M_2}$. Hence, by premise 4, $t$ is in $A_{M_1}$. But $t$ can’t be both in $A_{M_1}$ and in $coA_{M_1}$. The mirror argument follows for the third case.

Observe that if premises 3 and 4 were not present, as in the case of Rule 1, then soundness is not obtained.

Completeness follows by constructing the weakest assumptions $WA_{M_1}$, resp. $WA_{M_2}$, for $M_1$, resp. $M_2$, to achieve $P_1$, resp. $P_2$, and substituting them for $A_{M_1}$ and $A_{M_2}$. We can then show that if the rule’s conclusion holds, then so do the premises. □


It is interesting to note that if premises 3 and 4 of Rule 2 are modified to be in the more usual form of guarantee discharging assumption, i.e. $P_1 \models A_{M_2}$ and $P_2 \models A_{M_1}$, then the rule is not complete.

As was the case with Rule 1, we can weaken premise 5 of Rule 2 to obtain similar rules to Rule 1a and Rule 1b.

6. HISTORICAL PERSPECTIVE 

Over two decades ago, the quest for obtaining sound and complete compositional program proof systems, in various frameworks, remained open. The foundational work on proof systems for concurrent programs, for example [3, 20, 18], whilst not achieving compositional rules, introduced key notions of meta-level co-operation proofs and non-interference proofs. These meta-level proofs were carried out using program code and intermediate assertions from the proofs of the sequential processes. Assumption-commitment, or rely-guarantee, style specifications, in addition to pre- and post-conditions, were then introduced to capture the essence of the meta-level co-operation and non-interference proofs, lifting the assumptions that were implicitly made in the sequential proof outlines to be an explicit part of the specification. Program proof systems, built over such extended specifications, were then developed to support the stepwise, or hierarchical, development of concurrent, or distributed, programs, see for example [16, 25, 4, 23]. The development of such compositional proof systems continues to this day and the interested reader should consult [10] for an extensive and detailed coverage.

In recent years, there has been a resurgence of interest in formal techniques, and in particular assume-guarantee reasoning, for supporting component-based design: see for example [9]. One way of addressing both the design and verification of large systems is to use their natural decomposition into components. In order to reason formally about components in isolation, some form of assumption (either implicit or explicit) about the interaction with, or interference from, the environment has to be made. Even though various sound and often complete proof systems have been developed for this style of reasoning, see for example [16, 21, 6, 14], more often than not it is a mental challenge to obtain the most appropriate assumptions [15]. It is even more of a challenge to find automated techniques to support this style of reasoning. The thread modular reasoning underlying the Calvin tool [11] is one start in this direction. The Mocha toolkit [1] provides support for modular verification of components.

The problem of generating an assumption for a component 
is similar to the problem of generating component interfaces 
to deal with intermediate state explosion in CRA. Several 
approaches have been defined for automatically abstract- 
ing a component's environment to obtain interfaces [5, 17]. 
These approaches do not address the incremental refinement 
of interfaces. 

Learning in the context of model checking has also been in- 
vestigated in [13], but with a different goal. In that work, 
the L* Algorithm is used to generate a model of a software 
system which can then be fed to a model checker. A confor- 
mance checker determines if the model accurately describes 
the system. 

7. CONCLUSIONS AND FUTURE WORK 

Although theoretical frameworks for sound and complete 
assumption-commitment reasoning have existed for many 
years, their practical impact has been limited because they 
involve non-trivial human interaction. In this paper, we 
have presented a new set of sound and complete proof rules 
for parallel composition that support a fully automated ver- 
ification approach based upon such a reasoning style. The 
automation approach extends and improves upon our previ- 
ous work that introduced a learning algorithm to generate 
and refine assumptions based on queries and counterexam- 
ples, in an iterative process. The process is guaranteed to 
terminate, and return true if a property holds in a system, 
and a counterexample otherwise. If memory is insufficient to 
reach termination, intermediate assumptions are generated, 
which may be useful in approximating the requirements that 
a component places on its environment to satisfy certain 
properties. 

One advantage of our approach is its generality. It relies 
on standard features of model checkers, and could therefore 
easily be introduced in any such tool. For example, we are 
currently in the process of implementing it in the LTSA. The 
architecture of our framework is modular, so its components 
can easily be substituted by more efficient ones. 

We have implemented our framework within the LTSA tool 
and over the coming months we will conduct a number of ex- 
periments to establish the practical effectiveness of our new 
composition rule and its variations. We need to understand 
better the various trade-offs between the increased overhead 
of additional premise testing and the computational savings 
from earlier termination of the overall process. In addi- 
tion, we need to investigate known variants of our rules for 
N-process compositions, again considering various practical 
trade-offs in implementation terms. Of course, an interesting 
challenge will also be to extend the types of properties that 
our framework can handle to include liveness, fairness, and 
timed properties. 